// Detection rule for a BigLock ransomware sample (see meta.hash1). The four hex
// strings are raw x64 code fragments lifted from that sample; the condition
// requires a DOS/PE header, a minimum file size and any three of the four
// fragments, so a single fragment failing on a re-build does not break detection.
rule RAN_BigLock_Jun_2021_1 {
   meta:
        description = "Detect BigLock ransomware"
        author = "Arkbird_SOLG"
        reference = "https://twitter.com/fbgwls245/status/1400971422336311297"
        date = "2021-06-05"
        hash1 = "877c612cf42d85b943010437599b828383ecdf02a17e2b017367db34637e5463"
        level = "Experimental"
        tlp = "White"
        adversary = "-"
   strings:      
        // $s1 and $s2 share one long body and differ mainly in their prefix, in the
        // RIP-relative displacements of the `ff 15 .. .. 04 00` (call [rip+disp])
        // and `48 8d 15 .. .. 04 00` (lea rdx,[rip+disp]) instructions, and in the
        // immediate loaded into r8d (0x3f in $s1, 0x43 in $s2). Because those
        // displacements are baked in, both strings are tied to this exact build;
        // wildcarding the displacement bytes (`ff 15 ?? ?? 04 00`) would let the
        // rule survive recompiles of the same code at the cost of some specificity.
        // NOTE(review): the body decodes as a small-string-optimised std::wstring
        // (`48 c7 44 24 68 07 00 00 00` sets capacity 7, `66 44 89 64 24 50` writes
        // the wide terminator) handed to a CreateProcessW-style call whose
        // dwCreationFlags slot receives 0x08000000 (`c7 44 24 28 00 00 00 08`,
        // CREATE_NO_WINDOW), followed by a wait with `ba ff ff ff ff` (INFINITE)
        // and two handle-close calls. Confirm against the sample before relying on it.
        $s1 = { 33 d2 33 c9 44 8d 42 07 ff 15 97 20 04 00 4c 89 64 24 60 48 c7 44 24 68 07 00 00 00 66 44 89 64 24 50 41 b8 3f 00 00 00 48 8d 15 7e de 04 00 48 8d 4c 24 50 e8 24 5b ff ff 48 83 7c 24 60 00 0f 84 a0 00 00 00 0f 57 c0 33 c0 0f 11 45 90 0f 11 45 a0 0f 11 45 b0 0f 11 45 c0 0f 11 45 d0 0f 11 45 e0 48 89 45 f0 0f 11 44 24 70 48 89 45 80 48 8d 54 24 50 48 83 7c 24 68 08 48 0f 43 54 24 50 48 8d 44 24 70 48 89 44 24 48 48 8d 45 90 48 89 44 24 40 4c 89 64 24 38 4c 89 64 24 30 c7 44 24 28 00 00 00 08 c7 44 24 20 01 00 00 00 45 33 c9 45 33 c0 33 c9 ff 15 fa 1b 04 00 85 c0 74 26 ba ff ff ff ff 48 8b 4c 24 70 ff 15 b6 1c 04 00 48 8b 4c 24 78 ff 15 9b 1d 04 00 48 8b 4c 24 70 ff 15 90 1d 04 00 48 8b 54 24 68 48 83 fa 08 72 37 48 8d 14 55 02 00 00 00 48 8b 4c 24 50 48 8b c1 48 }
        $s2 = { e8 4e da 01 00 4c 89 64 24 60 48 c7 44 24 68 07 00 00 00 66 44 89 64 24 50 41 b8 43 00 00 00 48 8d 15 e5 dd 04 00 48 8d 4c 24 50 e8 0b 5a ff ff 48 83 7c 24 60 00 0f 84 a0 00 00 00 0f 57 c0 33 c0 0f 11 45 90 0f 11 45 a0 0f 11 45 b0 0f 11 45 c0 0f 11 45 d0 0f 11 45 e0 48 89 45 f0 0f 11 44 24 70 48 89 45 80 48 8d 54 24 50 48 83 7c 24 68 08 48 0f 43 54 24 50 48 8d 44 24 70 48 89 44 24 48 48 8d 45 90 48 89 44 24 40 4c 89 64 24 38 4c 89 64 24 30 c7 44 24 28 00 00 00 08 c7 44 24 20 01 00 00 00 45 33 c9 45 33 c0 33 c9 ff 15 e1 1a 04 00 85 c0 74 26 ba ff ff ff ff 48 8b 4c 24 70 ff 15 9d 1b 04 00 48 8b 4c 24 78 ff 15 82 1c 04 00 48 8b 4c 24 70 ff 15 77 1c 04 00 48 8b 54 24 68 48 83 fa 08 72 37 48 8d 14 55 02 00 00 00 48 8b 4c 24 50 48 8b c1 48 81 fa 00 10 00 }
        // $s3: requests a 0x108-byte allocation (`ba 08 01 00 00`), zero-fills
        // 0x104 wide characters (`b9 04 01 00 00 66 f3 ab` = rep stosw), passes
        // the 0x104 (MAX_PATH) length in r8d to an imported call, then compares
        // the returned value with the buffer size (`48 3b d0 77 19`).
        // NOTE(review): presumably a path/environment query API with the usual
        // "returns required length" contract — verify against the sample. This
        // fragment also carries RIP-relative displacements (`48 8d 0d 83 c7 04 00`,
        // `ff 15 7d f8 03 00`) and is therefore build-specific.
        $s3 = { 45 33 c0 48 2b d0 48 8d 4d c7 e8 ba cf ff ff 0f 10 45 c7 0f 11 45 07 0f 10 4d d7 0f 11 4d 17 4c 89 6d d7 48 c7 45 df 07 00 00 00 66 44 89 6d c7 41 b0 01 48 8d 55 07 e8 bd 0b 00 00 90 48 8b 55 1f 48 83 fa 08 72 37 48 8d 14 55 02 00 00 00 48 8b 4d 07 48 8b c1 48 81 fa 00 10 00 00 72 19 48 83 c2 27 48 8b 49 f8 48 2b c1 48 83 c0 f8 48 83 f8 1f 0f 87 f9 09 00 00 e8 34 b6 01 00 90 ba 08 01 00 00 e8 d1 39 ff ff 4c 8b c0 48 c7 45 d7 04 01 00 00 48 c7 45 df 07 01 00 00 41 0f b7 c5 49 8b f8 b9 04 01 00 00 66 f3 ab 66 45 89 a8 08 02 00 00 4c 89 45 c7 48 8d 55 c7 48 83 7d df 08 49 0f 43 d0 44 8b 45 d7 48 8d 0d 83 c7 04 00 ff 15 7d f8 03 00 8b d0 48 8b 45 d7 48 3b d0 77 19 48 8d 45 c7 48 83 7d df 08 48 0f 43 45 c7 48 89 55 d7 66 44 89 2c }
        // $s4: shortest fragment. A length check `48 83 f8 15` / `0f 82 ..` (below
        // 0x15 branches away) precedes a call that receives 0x15 as a stack
        // argument (`48 c7 44 24 30 15 00 00 00`) together with a RIP-relative
        // pointer (`48 8d 05 69 c2 04 00`). What the 21-unit value refers to is
        // not recoverable from the fragment alone.
        $s4 = { 48 8b c3 48 8b 4d b7 48 2b c1 48 83 f8 15 0f 82 7b 04 00 00 4c 8d 4d a7 48 83 7d bf 08 4c 0f 43 4d a7 48 c7 44 24 30 15 00 00 00 48 8d 05 69 c2 04 00 48 89 44 24 28 48 89 4c 24 20 48 8d 4d 07 e8 86 17 00 00 90 45 33 c0 48 8d 55 07 e8 89 05 00 00 90 4c 8b 45 1f 49 83 f8 08 72 0c 49 ff c0 48 8b 55 }
     condition:
        // 0x5a4d is "MZ" read little-endian at offset 0, i.e. a DOS/PE header.
        // There is no upper filesize bound, so every file above 100KB is scanned
        // for the four long byte sequences; an upper bound sized from the known
        // sample (meta.hash1) would reduce scan cost without losing it.
        // Any three of the four fragments must be present.
        uint16(0) == 0x5a4d and filesize > 100KB and 3 of ($s*)
}
